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Pervasive user-centric applications are systems which are meant to sense the presence, mood, and 
intentions of users in order to optimize user comfort and performance or to assist people in their spe- 
cific activities. Building such applications requires not only state-of-the art techniques from artificial 
intelligence but also sound software engineering methods for facilitating modular design, runtime 
adaptation and verification of critical system requirements. 

In this paper we focus on high-level design and analysis, and use the algebraic rewriting language 
Real-Time Maude for specifying applications in a real-time setting. We propose a component-based 
approach for modeling pervasive user-centric systems in a generic way and show how to instantiate 
the generic rules for a simple out-of-home digital advertising application and how to analyze and 
prove crucial properties of the system architecture through model checking and simulation. For 
proving time-dependent properties of systems we use Metric Temporal Logic (MTL) and present 
analysis algorithms for model checking two subclasses of MTL formulas: time-bounded response 
and time-bounded safety MTL formulas. The underlying idea is to extend the Real-Time Maude 
model with suitable clocks and to transform the MTL formulas into LTL formulas over the extended 
specification. This makes it possible to use the LTL model checker of Maude for verifying real 
time system properties. It is shown that component-based Real-Time Maude specifications as well as 
their extensions by clocks are time-robust and finite state; moreover, the above classes of formulas are 
tick-stabilizing if their atomic propositions are tick-stabilizing. As a consequence, model checking 
analyses are sound and complete for maximal time sampling. 

The approach is illustrated by a simple adaptive advertising scenario in which an adaptive adver- 
tisement display can react to actions of the users in front of the display. 

Keywords: Component-based software engineering, reconfiguration, algebraic specification, term 
rewriting, Real-Time Maude, real-time temporal logic 

1 Introduction 

As we are moving on from desktop computers to a pervasive computing intelligence interwoven in the 
"fabric of everyday life", our environment is about to become enriched with more and more smart assis- 
tance systems. 

Through this transformation, it becomes feasible for IT systems in our environment to measure re- 
sponses of the user's body through sensors and cameras and to influence our physical, emotional and 
cognitive state for our, the users, benefits. We call such systems pervasive user-centric applications [QjO. 
Examples are a so called "mood player" which selects the music according to current mood of a person, a 
"driving assistant" which implements adaptive control in vehicles to achieve more secure, more pleasant 

*This work has been partially sponsored by the EC project REFLECT, IST-2007-215893. 
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and more effective driving, or "adaptive advertising" where the displayed content of an advertisement is 
dynamically adapted to the needs of the actual audience in front of the display HI. 

Building pervasive user-centric applications is not easy, and requires state-of-the art techniques from 
artificial intelligence including machine learning and probabilistic reasoning, as well as a lot of system 
calibration and experimental psychological research in order to determine the right sensor parameters 
for recognizing the mood or the cognitive state of a person. As a consequence, from the software engi- 
neering point of view it is important that such systems are easily changeable and adaptable at runtime; 
moreover, they need to react immediately to the behavior of the user and thus have to satisfy (soft) real- 
time constraints. In the REFLECT project 0] we have developed a component-based framework 
which facilitates modular design, runtime adaptation and reconfiguration of systems and supports the 
implementation of pervasive user-centric applications (such as the ones mentioned above) in a flexible 
way. 

In this paper we focus on the high-level design and analysis of pervasive user-centric applications 
in order to be able to make guarantees on the correct behavior of such systems in an early stage of 
development. We follow the algebraic paradigm based on term rewriting and use Real-Time Maude as a 
high-level formal modeling language for pervasive user-centric applications in a real-time setting. 

In line with the REFLECT framework we propose a component-based approach for modeling perva- 
sive user-centric applications in a generic way and show how to instantiate the generic rules for a simple 
out-of-home digital advertising application and how to analyze and prove crucial properties of the system 
architecture through model checking and simulation. 

In our approach components are considered to be black boxes, making explicit only their communica- 
tion requirements by means of required and provided ports. A system configuration comprises a number 
of components and connectors, which describe how the required ports are connected to suitable provided 
ports. We distinguish three kinds of components: basic components, timed components whose behav- 
ior is influenced by timers, and hierarchical components (often just called components) which typically 
contain other components and connectors as well as timers. Generic rules are defined for transmitting 
values along connectors as well as for time elapse and the specifications of different kinds of timers. 

Individual components provide parts of the functionality required by the entire system. By chang- 
ing connectors, adding and removing individual components, the system's behavior can be changed at 
runtime. This process is called dynamic reconfiguration. Since entire components are replaced, little 
code needs to be added to the components to achieve this kind of adaptivity. Instead, it is attained on the 
level of the system architecture. In our approach, timed monitor components survey the behavior of the 
system and the environment, and trigger reconfigurations if necessary. 

For proving properties of systems we use Metric Temporal Logic (MTL) |[T0ll . This is an extension 
of Linear Temporal Logic (LTL) fTTl for specifying timed properties. Currently, Real-Time Maude does 
not provide an MTL model checker. However, in previous works, cf., e.g. [15 ], Olveczky showed how 
to verify some simple MTL formulas by using the time -bounded search command of Real-Time Maude 
or the LTL model checker of Maude. In [13], Lepri et al. present an automatized analysis algorithm of 
two important classes of MTL formulas, namely the bounded response property \3(p — > (0<fo<?)) and 
the minimum separation property □(/? — > (p W (□<£-!/?))). The underlying idea is to extend a Real- 
Time Maude model by a suitable clock and to transform the MTL formulas into LTL formulas over the 
extended specification. Then the LTL model checker of Maude can be used for performing the analysis. 

In this paper, we extend these ideas and present analysis algorithms for two further and more general 
classes of MTL formulas: 

1. Generalized time-bounded response: □ (\/ ! - e /(0<&,<7()) for / = {1,2, ... ,n} C N a finite set of in- 
dices, and 
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2. Time-Bounded safety: □(pVD<^) 

(where qt, q, and p are all atomic propositions). 

We show that component-based Real-Time Maude specifications as well as their extensions by clocks 
are time-robust and finite state; moreover, the above classes of formulas are tick-stabilizing if their atomic 
propositions are tick-stabilizing. As a consequence (cf. lfl6l . model checking analyses are sound and 
complete for maximal time sampling. 

Throughout the paper we illustrate our modeling and analysis techniques by a simple scenario of 
adaptive advertisement. 

The paper is organized as follows: In Section[2]we present the adaptive advertising case study which 
we use as running example. The following Section [3] contains a short introduction to Real-Time Maude. 
Sections |4] and [5] present our main results. In Section [4] we explain our generic framework for speci- 
fying component-based systems and the Real-Time Maude specification of the adaptive advertisement 
scenario. The transformation algorithms for the time-bounded response and time-bounded safety formu- 
las are presented in Section [5j we show also completeness and termination of LTL model checking for 
our format of component-based specifications and illustrate our results by applying the Maude model 
checker successfully to the requirements of the adaptive advertisement scenario. In Sections [6] and [7] we 
discuss related work, summarize our results and discuss further work. 

2 An adaptive advertising application 

To showcase our approach to system verification, we consider a simple out-of-home digital advertising 
application 0. The setup of this application consists of a large display screen and a camera monitoring 
the area in front of the display, and by this allowing interactions of passer-bys with the displayed content. 
The general idea of adaptive advertising is to adapt a displayed advertisement to the current situation in 
front of it - whether there are several people just passing by, a small group of persons watching the ad 
carefully, or just one person in front of it waiting for someone else [5]. In this simplified example, we 
consider the camera as a way to enable gesture-based interactions with a passer-bys and to discover their 
presence. 

A simple scenario within the adaptive advertising setting is an adaptive car advertisement, reacting 
to gestures of users in front of the display: By moving around the display, pointing at items or looking 
at them, the users influence the contents of the ad. To function properly this system should satisfy the 
following two requirements: (Gl) Being an interactive ad, the system should react to a user in front of 
the display. (G2) The content displayed must change at least every ten seconds: an advertising campaign 
using a large-scale display should not waste its capabilities by showing static content. 

The realization shown in figure [T] (components that are present but inactive are shown in light-gray) 
is first deployed in interactive mode and monitors whether someone is interacting with the ad. If that is 
not the case, a reconfiguration is triggered which altering the system configuration so that it shows auto- 
active content generated by a presentation component, e.g. an advertising movie or predefined animation 
sequences. Introducing monitors allows a partial solution to assume that the environment exhibits certain 
features (e.g. always have someone interacting with the ad) that it does not exhibit in the general case. 
Note that the second system (figure[TJ right) also needs monitoring, as it again does not satisfy (Gl): The 
second system provides interactive content to its viewers, and therefore must be changed as soon as a 
person is in front of the display, interacting with it. 

Reconfiguration leads to further requirements; in particular, system configurations should reasonably 
stable so that the system does not oscillate between several configurations. This can be expressed as 
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Figure 1 : Adaptive advertising system configurations 

follows: (G3) a reconfiguration should not happen instantaneously, but must take at least 200 ms to 
complete. 



3 Real-Time Maude 

Real-Time Maude [ 17] is a formal specification language based on Maude 0, a high-performance sim- 
ulation and model checking tool which uses rewriting logic and membership equational logic for the 
specification of systems. Real-Time Maude extends Maude by supporting the formal specification of 
real-time system while benefiting from the expressiveness of the Maude language and the powerful anal- 
ysis techniques like LTL model checking. In this section, we will briefly introduce the main concepts 
of specifications in Real-Time Maude; we refer to JTTIl for more details on the syntax and semantics of 
Real-Time Maude. 

In Real-Time Maude, real-time systems are formally specified by a real-time rewrite theory of the 
form M = (l.,E,IR,TR) where (L,E) is a membership equational logic [7] theory with £ a signature 
and E a set of confluent and terminating conditional equations, and IR is a set of instantaneous (rewrite) 



M. Wirsing, S. S. Bauer & A. Schroeder 



5 



rules specifying the system's transitions which happen in zero time. Instantaneous rules are written 

crl [/] : t => t if cond . 

where / is a label, t, t' are terms, and cond is a condition on the terms t, t'. Finally, TR is a set of tick 
(rewrite) rules which specify how the system behaves when time advances. Tick rules are written 

crl [/] : {t} => {t 1 } in time T if cond . 

where { _} is a constructor of sort GlobalSystem, and T is a term of sort Time which denotes the duration 
of the tick rule. The form of the tick rules ensure that time advances uniformly in the whole system. 

A one-step rewrite, written t A t' , is a single rewrite of a term t to a term t' (both of sort GlobalSystem) 
in time r (possibly zero time). We call t the source state of the rule t — > t' , and t' the target state. A (timed) 
path in is an infinite sequence n = to -A t\ ^-t%... where either for all i € N, -A is a one-step 
rewrite of £%, or there exists a k G N such that for all < i < k, ti -V ti + \ is a one-step rewrite in and 
there is no one-step rewrite from fj in and tj = t% and ry_i = for each j > k. The set of all timed 
paths of starting in t is denoted by Paths(&) t . For k 6 N, we define % k to be the timed path starting 
after the &fh one-step rewrite, i.e. 7l k = t% 4 +2 .... A term t' is reachable from a term t in 

in time r if there is a path K = to . . • ^ • • • such that = ?' and E^o r; '- 

Function symbols / are declared by the statement / : s\...s n -> s with sorts s\,...,s n ,s, and 
equations are written eq t = t'. A variable x of sort s is declared by the statement var x : s. 

In object-oriented Real-Time Maude, classes are declared by 

class C I att\ : s\, att n : s n . 

where att\ att n are attributes of sorts si,...,s n , respectively. An object of class C is written as a term 

< o : C I att\ : val\ , . . . , att„ : val n > 

of sort Object, where o is an object identifier of sort Did and vah are the current values of attributes 
atti (1 < i < ri). A system state is a collection of object^jand is of sort Collection which is a multiset 
equipped with an associative and commutative union operator with empty syntax, e.g. 

< o : C I att\ : val\, att„ : val„ > < o : C | att[ : val[ , att m : val' m > ... 

represents a system state consisting of the objects o, o', ... . Real-Time Maude supports multiset rewriting, 
i.e. rewrite rules are applied modulo associative and commutative rewriting of the system state. In object- 
oriented Real-Time Maude specifications, the time-dependent behavior is usually specified by a single 
tick rule of the form 

var C : Configuration . var T : Time . 

crl [tick] : {C} => {delta(C,T)} in time T if T <= mte(C) A cond [nonexec] . 

The function delta defines the effect of time elapse on a configuration, and the function mte defines 
the maximum amount of time that can elapse before some action must take place. These functions 
distribute over the objects in a configuration and must be defined for all single objects to defined the 
timed behavior of a system. The tick rule advances time nondeterministically by any amount T less than 

'in Real-Time Maude, states in object-oriented specifications usually contain messages which are used to model communi- 
cation between objects. However, in our case study, we will not make use of messages and let objects "directly" communicate, 
i.e. the effect of communication between two objects is modeled by a rewrite rule having both objects in source and target state. 
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or equal to mte (C) . To execute such rules, Real-Time Maude offers a number of time sampling strategies, 
so that only some moments in time are visited. In this paper, we will only make use of the maximal time 
sampling strategy which advances time to the next moment when some action must be taken, as defined 
by mte, i.e. when the tick rule is applied in a state {C}, time is advanced by mte(C). The above form 
of the tick rule slightly differs from the usual form proposed in IPT71 by allowing an additional condition 
cond (T must not occur in cond). 

A Real-Time Maude specification is executable and various formal analysis methods are supported. 
For a complete overview of these methods see, e.g., IfTTl . In this work we make use of the time- 
unbounded model checking command 

(mc t I =u . ) 

for an initial state t and a temporal logic formula . 

In the rest of this paper, when we talk of a real-time rewrite theory M we typically mean the real-time 
rewrite theory £% max which is obtained from S% by applying the theory transformation corresponding to 
using the maximal time sampling strategy when executing the tick rules. 



4 Modeling in Real-Time Maude 

In this section we show how our case study, the digital advertising application, as described in Sect. [2] 



can be modeled in Real-Time Maude. For this purpose, we first present in Sect. 4. 1 an implementation of 



a generic, port-based component model in object-oriented Real-Time Maude. Then we show in Sect. 4.2 



how our case study described in Sect. [2] can be modeled as self-reconfiguring component-based system. 



4.1 Defining Components in Object-Oriented Real-Time Maude 

Components are encapsulated entities with explicit ports over which communication take place. A port 
is modeled as an object instance of the class Port having one attribute value describing the current state 
of the port. 

class Port I value : Bool . 
The value of a port models the state of activity: a value true models the fact that at this port, a signal is 
received (or sent) via this port whereas false means that no signal is received (or sent). 

A port always belongs to a unique component and may have two roles: either it is a provided port 
or a required port of this component. All provided ports are under the control of the owning component 
and therefore, the state (i.e. the value) of a provided port can only be changed by its owning component. 
In contrast, the value of a required port cannot be changed by the owning component but can only be 
changed by the environment - in this sense, a component can only react on different states if its required 
ports. 

We introduce three different types of components: basic components, timed components, and hier- 
archical components (or just component). For these three different types of components we introduce 
the following (sub-)classes using inheritance, i.e. timed component inherits from basic component, and 
component inherits from timed component. 

class ABasicComponent I prov : Configuration, req : Configuration . 

class ATimedComponent I tstate : Configuration . 

class AComponent I assembly : Configuration, innerreq : Configuration . 

subclass ATimedComponent < ABasicComponent . 
subclass AComponent < ATimedComponent . 
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The different types of components are also illustrated in Fig. [2] A basic component has a set of provided 
(prov) and required ports (req), and both attributes are modeled as instances of type Configuration. 
However, we assume that the multisets prov and req only contain object instances of type Port. A 
timed component inherits from basic component and has an additional attribute (t state) which models 
a timed data state which need not be time invariant. For timed data states we refer the reader to the end of 
this section. Finally, hierarchical components embody an inner assembly (assembly) of connectors and 
components, and inner required ports (innerreq) that are connected to provided ports of components 
within the inner assembly. 

For each type of component we actually introduce two classes, e.g. for basic components, we define 
an abstract class ABasicComponent and a concrete class BasicComponent and only allow object in- 
stances of the concrete class. This discrimination between abstract and concrete classes allows to define 
both common rewrite rules and equations applicable to all component types, and rules and equations 
applicable to a particular type of components only. The class definitions are hence as follows: 

class BasicComponent . 
class TimedComponent . 
class Component . 

subclass BasicComponent < ABasicComponent . 
subclass TimedComponent < ATimedComponent . 
subclass Component < AComponent . 

For timed components (and hence for hierarchical components), a timed data state (attribute tstate) 
is a set of timers which decrement their value by the advanced time. In our case study later on, we need 
three different types of timers, all modeled as classes. 

class Timer I value : Timelnf . 

class DnOff Timer I value : Timelnf, active : Bool . 

class DelayTimer I value : Timelnf, delay : Timelnf . 

The class Timer models a simple timer which has an attribute value for the current time value of type 
Timelnf. The class OnOf fTimer has an additional attribute active to switch the timer on and off. 
Finally, the third class DelayTimer is another timer class which contains - beside the timer value - an 
attribute delay. If the DelayTimer expires the timer value is reset to the fixed delay. 

Components communicate over their required and provided ports which are connected by connectors. 
More precisely, we distinguish between two types of connectors: On the one hand, a class Connector 
models all connectors which link a provided port with a required port on the same level of the component 
hierarchy (i.e. not crossing component boundaries). On the other hand, a class DelegateConnector 
models all delegate connectors which link, within hierarchical components, ports in the assembly with 
either outer ports or inner required ports. 

An overview of all types of connectors is given in Fig. [3] 

(1) A connector links a provided and required port, on the same level of component hierarchy. 
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Figure 3: Connectors and Delegate Connectors 

(2) A delegate connector links either 

(a) a provided port of an inner component (source) with an outer provided port (target), or 

(b) a provided port of an inner component (source) with an inner required port of the comprising 
hierarchical component (target), or 

(c) an outer required port (source) with a required port of an inner component (target). 

Connectors are again modeled as object-oriented classes Connector and DelegateConnector, 
each having two attributes source and target which are object identifiers of instances of class Port. 

class Connector I source : Oid, target : Oid . 

class DelegateConnector I source : Did, target : Oid . 

Component behavior is modeled in an abstract way by defining an operation beh on configurations. 

op beh : Configuration -> Configuration [frozen (1)] . 

The behavior of a component can be defined then by introducing equations for beh. This abstract behav- 
ior operation is used in the following generic (instantaneous) rewrite rules. 

We define generic, instantaneous rules for transmitting values along connectors. The following rule 
[transmit] assumes two (arbitrary) components with connected provided and required ports; if the 
value of the provided port is not equal to the required port value, then the latter value is changed accord- 
ingly such that afterwards, both connected ports have equal values. A necessary condition for this rule is 
that the target component which alters one of its ports is in a consistent state. A (hierarchical) component 
is called consistent if within its assembly, all connected ports are equal in value. 

crl [transmit] : 

< ol : ABasicComponent I prov : < pi : Port I value : b > PORTS > 

< c : Connector I source : pi, target : p2 > 

< o2 : ABasicComponent I req : < p2 : Port I value : b' > PORTS' > 
=> 

< ol : ABasicComponent I prov : < pi : Port I value : b > PORTS > 

< c : Connector I source : pi, target : p2 > 

beh(< o2 : ABasicComponent I req : < p2 : Port I value : b > PORTS' >) 
if b =/= b' and 

consistent (< o2 : ABasicComponent I req : < p2 : Port I value : b' > PORTS' >) . 

Note that in the above rule, the abstract operation beh modeling the component behavior is called on 
the receiving component which may react on its new state, more precisely, the altered state of its required 
ports. It is also worth mentioning that this rule is defined uniformly on all types of components by 
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using ABasicComponent; every "concrete" component (of type BasicComponent, TimedComponent, 
Component) is a subclass and hence inherits this rewrite rule. 

For propagation of port values along connectors, each type of connector has its own behavior modeled 
as a rule. The rule [transmit] models the behavior of a connector, and since we have three different 
types of delegate connectors, we have also three more rules which do not described here in detail: A rule 
[delegateln] equals inner required port with outer required port, a rule [delegateOut] equals outer 
provided port with inner provided port, and a rule [delegatelnnerPort] equals an inner required port 
of the comprising hierarchical component with an inner required port (in the assembly). 

Finally, we have the tick rule which advances time up to the maximal possible amount of time deter- 
mined by the function mte. 

var C : Configuration . var T : Time . 

crl [tick] : {C} => {delta (C,T)} in time T if T <= mte(C) A consistent (C) [nonexec] . 

It is important to point out that we only let time advance if the system is in a consistent state, i.e. the 
term consistent (C) evaluates to true if and only if all connected ports are equal in value. The 
functions delta, which models the effect of time elapse on the system state, and mte, which for a system 
state returns the maximal possible time elapse, are defined as usual in object-oriented specifications in 
Real-Time Maude (cf. ifTTl ). e.g. for the class OnOff Timer, we have the following equations: 

eq delta(< o : OnOff Timer I value : t, active : b >, T) 
= < o : OnOff Timer I value : if b then t monus T else t fi, active : b > . 

eq mte(< o : OnOff Timer I value : t, active : b >) 
= if b then t else INF fi . 

4.2 Modeling the Digital Advertising Application 

We show now how the adaptive advertising application of Sect.|2]can be modeled as a component-based 
system in Real-Time Maude by extending the implementation introduced so far. 

The system, cf. Fig. [T] is modeled as a hierarchical component with object identifier SYS. It has 
one outer provided port SYS . imgChange and one outer required port SYS . persThereln. For receiv- 
ing a reconfiguration signal from the inner assembly the system component contains an inner required 
port SYS .reconf . The (timed) state consists of a timer reconf timer which is used to trigger recon- 
figuration of the component after a (fixed) time delay. The inner assembly comprises delegate connec- 
tors (e.g. dl connecting SYS. persThereln and Camera. persThereln), connectors (e.g. cl connect- 
ing Camera. persThere and Interaction. persThere), basic components (e.g. Render), and timed 
components (MonitorOne and MonitorTwo). Each monitor is equipped with a timer, more precisely, 
an object instance of the class OnOff Timer. The purpose of these timers is to count the time when the 
condition for reconfiguration to the other configuration is true. 

op SYS_in_Cl : -> Configuration [ctor] . 
eq SYS_in_Cl = < SYS : Component I 

prov : < SYS . imgChange : Port I value 

req : < SYS. persThereln : Port I value 

tstate : < reconftimer : Timer I value 

innerreq : < SYS. reconf : Port I value 

assembly : 

< dl : DelegateConnector I source : SYS .persThereln, 

target : Camera. persThereln > 



: true > , 
: true > , 
: INF > , 
: false >, 
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< cl : Connector I source : Camera. persThere, 

target : Interaction. persThere > 

< Render : BasicComponent | 

prov : < Render . imgChange : Port I value : true > , 
req : < Render . alterContent : Port I value : true > > 

< Presentation : BasicComponent I 

prov : < Presentation. alterContent : Port I value : true >, 
req : none > 

< MonitorOne : TimedComponent | 

tstate : < mltimer : OnOff Timer I value : INF, active : true >, 
prov : < MonitorOne . reconf : Port I value : false >, 
req : < MonitorOne . gesture : Port I value : true > > 
. . . > . 

The component behavior is defined via equations for the operation beh. Note that beh applied to compo- 
nents which have altered the port values of required ports and have to react accordingly (e.g. beh is called 



in the rule [transmit] , cf. Sect. 4.1 ). For instance, for component Render we define beh by propagat- 
ing the new value of the required port (which has been previously changed by rule [transmit] ) to the 
provided portj^] 

eq beh(< Render : BasicComponent I 

prov : < Render . imgChange : Port I > , 
req : < Render . alterContent : Port I value : b' > >) 
= < Render : BasicComponent I 

prov : < Render . imgChange : Port I value : b ' > , 
req : < Render . alterContent : Port I > > . 

The behavior of the monitor MonitorOne can be defined similarly, with a more involved behavior of the 
timer. MonitorOne is active in configuration Cl and surveys whether there is a person in front of the 
display. If there is no person in front (MonitorOne . gesture becomes false), the timer is initialised with 
2000. Otherwise, if the valuation of port MonitorOne . gesture has changed from false to true and the 
timer has not expired already, the timer is set to infinite (INF), i.e. if time advances (by a finite amount 
of time), the timer is not decreased. 

eq beh(< MonitorOne : TimedComponent | 

tstate : < mltimer : OnOff Timer I value : t, active : B >, 
req : < MonitorOne . gesture : Port I value : b > >) 
= < MonitorOne : TimedComponent I 

tstate : < mltimer : OnOff Timer I value : if (b or (not B)) and t =/= 

then INF else (if t == INF 
then 2000 else t fi) fi > . 

Note that the timer mltimer of MonitorOne is not touched if the timer has expired, i.e. has as value. 
In this case, for a period of 2000 ms, the port valuation of MonitorOne .gesture has been false. To 
guarantee the overall system guarantee (G2) which says that the display's content should change at least 
every ten seconds, the system must be reconfigured. Reconfiguration is signaled to the component SYS 
by setting the value of the port MonitorOne . reconf to true. 

rl [monitorOne- signal] : 

< MonitorOne : TimedComponent | 



"In Real-Time Maude, object instances in terms need not list all attributes; it is valid to omit attributes which are not relevant. 
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tstate : < mltimer : OnOff Timer I value : 0, active : true >, 
prov : < MonitorOne . reconf : Port I value : false > > 

=> 

< MonitorOne : TimedComponent I 

tstate : < mltimer : OnOff Timer I value : INF, active : false >, 
prov : < MonitorOne . reconf : Port I value : true > > . 

This value of the reconfiguration port of the monitor is propagated to the component SYS which then sets 
its reconfiguration timer to 250 ms which models the duration of the reconfiguration process. 

eq beh(< SYS : Component | 

tstate : < reconf timer : Timer | value : t >, 
innerreq : < SYS. reconf : Port | value : true > >) 
= < SYS : Component | 

tstate : < reconftimer : Timer | 

value : if t == INF then 250 else t fi > > . 

The reconfiguration is performed as soon as the timer expires: The reconfiguration timer is set to INF, the 
connectors of configuration 1 are replaced by the connectors configuration 2, and, moreover, the second 
monitor is activated which must observe the component to trigger a reconfiguration back to configuration 
1 if the assumptions of configuration 2 are not met any more. 

rl [reconf -Cl-to-C2] : 

< SYS : Component I tstate : < reconftimer : Timer I value : >, 

assembly : ... connectors of configuration 1 ... 

< MonitorTwo : TimedComponent I 

tstate : < m2timer : OnOffTimer I value : INF, active : false >, ... > 
. . . > 

=> 

< SYS : Component I tstate : < reconftimer : Timer I value : INF >, 

assembly : ... connectors of configuration 2 . . . 

< MonitorTwo : TimedComponent | 

tstate : < m2timer : OnOffTimer I value : INF, active : true >, ... > 
. . . > . 

We omit the rest of the rewrite rules for the remaining components and their equations for beh defining 
their behavior. They are in fact all very similar to the rules presented above. It is, however, worth 
mentioning that the timer of MonitorTwo is set to 500 ms as soon as there is a person detected in front 
of the display. 

So far we have defined the term SYS_in_Cl of sort Configuration and introduced appropriate 
rewrite rules and equations which model the behavior of the hierarchical component. However, it is 
an open component with a required port SYS .persThereln; the overall behavior of component SYS 
depends on how the valuation of SYS .persThereln evolve over time. To allow analysis of the system, 
we add a component ENV which models the environment; it has two ports which are connecting to their 
counterparts of the component SYS, thus yielding a closed system. The initial state is then defined as: 

op initial : -> Configuration [ctor] . 
eq initial = 
SYS_in_Cl 

< ENV : TimedComponent I prov : < ENV. persThereln : Port I value : true >, 

req : < ENV . imgChange : Port I value : true >, 
tstate : < envdtimer : DelayTimer I value : 0, 

delay : 50 > > 
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< C0NN1 : Connector I source 

< C0NN2 : Connector I source 



ENV.persThereln, target : SYS.persThereln > 
SYS . imgChange , target : ENV . imgChange > . 



The behavior of the environment is as follows: Every 50 ms the environment non-deterministically 
choose whether to change the valuation of port ENV.persThereln, or not. This recurring choice after 
50 ms is modeled by a delay timer, always resetting the timer after each choice. 



rl [env-true] : 

< ENV : TimedComponent 
=> 

< ENV : TimedComponent 



tstate : < envdtimer : DelayTimer | value : 0, delay : 50 > > 



tstate : < envdtimer : DelayTimer 
prov : < ENV.persThereln : Port 



value 
value 



50 >, 
true > > 



The rule [env-true] models the choice of ENV to set the value of ENV . persThereln to true; the rule 
[env-false] is analogous. 



For all instantaneous rewrite rules (except those introduced in Sect. 4.1) we require that they are 
triggered by the expiration of a timer which is indeed the case for all the rules in our example. The 
advantage of this schema is that our specifications are time-robust f\M for which analysis techniques 
with the maximal time sampling strategy is complete, i.e. if there is a counterexample of a property to be 
analyzed we will actually find it with the analysis technique. 



5 Analyzing in Real-Time Maude 

Real-Time Maude provides a variety of analysis techniques including simulation through timed rewrit- 
ing, untimed temporal logic model checking, or (unbounded or time-bounded) search for reachability 
analysis. However, for real-time specifications, timed properties expressed in timed temporal logic are, 
of course, of great relevance, e.g. for a flight control system, changes in sensor information must not only 
be reported eventually, but within a specific time bound. Up to know, Real-Time Maude has lacked the 
ability to model check any timed temporal logic formulas. In |[T3l , Lepri et al. show how to model check 
specific classes of timed temporal logic formulas, expressed in metric temporal logic. In the same line as 
|[T3l , we describe how to model check (different) classes of metric temporal logic which will be shown 
useful for analyzing our real-time specification for our case study. 

Metric Temporal Logic (MTL) [10] extends Linear Temporal Logic (LTL) iTTTTl by allowing to de- 
scribe timed properties of paths of a given system which is useful for to specify time-critical systems. 
MTL is more expressive than LTL, for instance, we can state the timed property that some action should 
happen within some time bounds, or that some property should always be satisfied within an interval. 
Formally, the syntax of MTL formulas is the same as the syntax of LTL formulas, except for the until- 
operator where a time interval is added. The formula p Ur^ ^ q states that p U q holds, i.e. p holds 
until q holds, and furthermore, q occurs within the time interval [b\,b2\. Thus, in MTL, time intervals 
are added to all derived operators like □[^ 1 ,/, 2 ] or O^M- 

MTL formulas </> are inductively defined as follows: 

(j) ::= true \ p | -.0 | fa A fa | 01 U{b u h] fa 

where p is a proposition and for time intervals [^1,^2] (and a given time domain T) we allow either 
b\,b2 £ T, b\ < bj and ^2 > 0, or t\ G T and ?2 = 00 ■ Disjunction V and implication — > are defined as 
usual. O[fo!.fo 2 ]0 stands for true U^,,^] <p, and □[fo,,/, 2 ] abbreviates -^(true U[ fol /, 2 j We will write 

U<t (and 0</,, □</,) if the lower bound is 0. 
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We follow |[T3l in the notational conventions for real-time rewrite theories: The set of states of a 
real-time rewrite theory 0t = (L,E,IR,TR) is defined as the set of all terms (modulo the equations in 
E) of type GlobalSystem. A set n of atomic propositions can be defined equationally (in a protecting 
extension of (£,£")), and a labeling function Ln assigns to every state a finite set of propositions in IT (cf. 
El). 

Satisfaction of MTL formulas over timed paths of real-time rewrite theories is defined as follows: 

Definition 1 ( 111310 . Let S%be a real-time rewrite theory, Ln a labeling function on M, and let K = to 
t\ — > ...be a timed path in M. The satisfaction relation of an MTL formula § for the path K in £% is then 
defined recursively as follows: 

&,Ln,7l\= true always holds 

^,L n ,7i^p iffpeL n (t Q ) 

^,L n ,7rh-0 iff^,L u ,n^(t> 

&,L n ,7i^ 0i A 02 iff&,L n ,n^= 0i and &,L n ,n t= 2 

&,Ln, % 1= 0i U\b u b 2 ] $2 iff there exists jeN such that &,Ln, 7l J N 02 

and &,Lji, K (= (pi for all < i < j, and b\ < ^l = o r k < ^2 

For a state to of sort GlobalSystem, the satisfaction relation of an MTL formula § for the state to in & 
is defined as follows: 

&,L n ,to (= <t> Vtt G Paths{M) k) . M,L n ,n^ 

Real-Time Maude does currently not provide an MTL model checker. However, in previous works, 
cf., e.g. 031 . some simple MTL formulas could already be model checked using the time-bounded 
search command or the LTL model checker of Maude. In lfl3l . Lepri et al. present an automatized 
analysis algorithm of two important classes of MTL formulas, namely the bounded response property 
H(p — > (0<fc<?)) and the minimum separation property D{p — > (p W (□<fo-ip))). We extend their ideas 
and present algorithms for two further and more general classes of MTL formulas: 

1. Generalized time-bounded response: □(V,- e /(0<&,<7()) for / = {1,2, ... ,n} C N a finite set of in- 
dices, and 

2. Time-Bounded safety: \3(p V D<bq) 
where qt, q, and p are all atomic propositions of fl. 



In the following sections |5.1| and |5.2[ we will describe the algorithm of the transformation of the 
two classes of MTL formulas to corresponding LTL formulas which are then model checked over the 
transformed rewrite theory So in each case, for each formula belonging to one of the classes, we 
will show that &,Ln, % 1= if and only if &,Ln,7t \= 0, hence it is shown how to modify the rewrite 
theory such that we can use the LTL model checker of Maude to verify . 



5.1 Model Checking MTL Formulas of the Form □(Vie/(0<^)) 

For model checking MTL formulas of the form □(V; 6 /(<)<6,<7;)) for a finite set / of indices, we add a 
single clock c to the system state which will count the elapsed time after each state in which no q\ is 
satisfied. It is indeed possible to restrict oneself to using one single clock by leveraging the observation 
that given a sequence of states t\,...,t n satisfying no qt within the time interval max{Z?,- | i El}, the first 
state si determines the deadlines bj, and hence we can set the single clock c to zero and start it in state 
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si: the first occurrence of a ^-satisfying state s w will also witness the validity of □(V; e /(0<fo,<7;)) in all 
Si states between s\ and s w (i.e. state satisfies the formula for all 1 < i < w). The clock is switched 
off in state s w , and can be switched back on if another state satisfying none of the qfs is found after 
the witness state s w , and restart the counting process. In summary, to model check the MTL formula 
= □ (V;e/(0<i,-#i)) for a path n in a real-time rewrite theory 3%, the following steps are necessary: 
First, to 3% a class Clock, modeling the clock, and corresponding equations are added; second, <p is 
translated to = □(Vj€/(0(<7; A clock < bi))) where clock is an atomic proposition which refers to 
the current time value of the clock; the rewrite rules are transformed to adequately take into account 
the propositions and the clock behavior. The transformation algorithm, called (^-transformation in the 
following, comprises four steps: 

1. A class modeling the clock is added: 

sort ClockStatus . 

ops on off : -> ClockStatus [ctor] . 

class Clock I clock : Time, status : ClockStatus . 

2. The initial state {to} is modified by adding a clock object such that the new initial state is 

{to < c : Clock I clock : 0, status : x >} 

where c is a constant of sort Oid and x is off if {to} 1= \Ji e iqu else on. 

3. The functions delta (modeling the effect of time elapse on a configuration) and mte (computing 
the maximum time elapse for a configuration) are extended for the newly introduced clock object 
as follows: 

eq delta(< c : Clock I status : on, clock : T >, T') = 

< c : Clock I clock : if T <= b max then min(T+T> ,b max +l) else T fi > . 
eq delta(< c : Clock I status : off >, T') = < c : Clock I > . 
eq mte(< c : Clock I >) = INF . 

where b max = max{&; | i 6 /}. 

4. Instantaneous rewrite rules are modified such that the clock is switched on and off depending 
on the target state. Each instantaneous rule t => t' if cond or {t} => {t 1 } if cond in & is 
replaced by the following four rules (where REST is a new variable of type Configuration): 

Rule (1): If the clock is off then the clock stays off if at least one of the #,'s is satisfied. 

{t REST < c : Clock I status : off >} 

=> {t' REST < c : Clock I >} 
if (modelCheck({f' REST},gi) == true or 

modelCheck({f' REST},<7„) == true) and cond . 
Rule (2): If the clock is off then the clock is switched on if none of the g,-'s is satisfied. 

{t REST < c : Clock I status : off >} 

=> {t' REST < c : Clock I clock : 0, status : on >} 
if (not (modelCheck({f' REST} ,gi ) == true or 

modelCheck({f' REST},^„) == true)) and cond . 
Rule (3): If the clock is on then the clock stays on if for all i G /, either qi is not satisfied or the 
time bound is already exceeded. 
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{t REST < c : Clock I clock : T, status : on >} 

=> {*' REST < c : Clock I >} 
if (not ((modelCheck({f' REST},^) == true and (T <= b\)) or 
or 

(modelCheck({f' REST},g„) == true and (T <= £>„)))) and cond . 
Rule (4): If the clock is on then the clock is switched off if at least one of the qfs is satisfied within 
its corresponding time bound 

{t REST < c : Clock I clock : T, status : on >} 

=> {t 1 REST < c : Clock I clock : 0, status : off >} 
if (modelCheck({f' RESTj.gi) == true and (T <= b\)) or 
or 

(modelCheck({f' REST},^) == true and (T <= b„)) and cond . 

Thus, by the above steps 1. to 4. we obtain a real-time rewrite theory ffl, a labeling function Ln 
which is adapted to the transformed state space while the labeling remains unchanged (i.e. Ln({?}) = 
Ln.({t o c i oc k}) where o c i oc k is the added clock), and {to} is the transformed initial state. 

Finally, for model checking the MTL formula we need to add an atomic proposition stating that the 
current clock value is less or equal than a given time value r. 

op clockLeq : Time -> Prop [ctor] . 

eq {< c : Clock I clock : t, status : s > REST} |= clockLeq(b) = (t <= b) . 

The MTL formula □(V;e/(0<b i 9i)) can tnen ^ e m °del checked using Real-Time Maude's untimed LTL 
model checking features, i.e. we check whether the transformed formula holds by invoking 

(mc {fo} l=u 

[] ( (<>(q\ A clockLeq^ ))) 

V ... V 

(<>(<?„ A clockLeq ( b„ ))) ) .) 
which precisely is 3t,Ljj, {to} N □(V( 6 /(C , (?i Aclock < &/))). 

Proof of Correctness of the Transformation. 

Lemma 1 (cf. M13II ). Let & be a real-time rewrite theory, Ln with qi G Tlfor all i G / a labeling function 
for and let {to} be an initial state for Let M, Ln, and {t~o} be the result of the ^-transformation 
applied to 8%, Ln, and to. Then for each path {to} {ti } . . . in ffl there is a path {to} {ft} -V . . . 
in ffl such that, for all i > 0, there exists t- with t, = tf\, and vice versa. 

Proof. We have to show that the transformation does not modify the original timed behavior. This is 
ensured by the following facts: 

• Adding the clock class and a clock object to the initial state does not affact the original part of 
the state, and moreover, the timed behavior of the original system is not affected by the newly 
introduced clock since mte of the clock evaluates to INF. 

• The transformation replaces each rewrite rules by a number of rules with additional conditions. 
However, for each (extended) state to which the original rule is applicable, there is exactly one 
new rule applicable, and furthermore, the new rules treat the original state part as the original rule. 

It follows that the original timed behavior is not modified, in particular, no original paths are blocked by 
the new rules, and conversely, new rules yield the same result for the original part of the state. □ 
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Theorem 1. Let £%be a real-time rewrite theory, Ln a labeling function for & with qi G Ylfor all i G I, 
and {to} an initial state of Let ffl, Ln, and {to} be the result of the -transformation applied to £%, 
Ln, and {to}. Then the following equivalence holds: 

^,L n ,{?o}Nn\/0<^i <^ <%,L~n,{t~o}^0\/<>(qiAclock<bi))) 
iel iel 

Proof "=>•": Assume J , ,L n ,{fo} ^□V, e/ 0(^Ac/ocA: < bi))), we show ^,Ln, {to} ¥ □ Vi G /0<fei^£- 
Let ft = {Iq} {t\} ... be a path in ^ which does not satisfy ieI ()(qi f\ clock < bi))). By 
definition of (= we know that there exists j > such that 7T 7 Vie/ OG?; A c/oc/c < ft/)), i.e. 

V/ G /.Vifc > j.(ft k ^ qi ) V {ft k \f clock < & f ). (1) 

Let / > Obe the smallest index satisfying (1), and therefore, if 7 = then the clock status is off, otherwise 
j > and fti~ l N \J ieI §(qif\clock < bi)). It follows that there exists 7 £ / such that ft 1 N q\l\clock < bj. 
Rule (4) ensures that as soon as this formula is satisfied, the clock status is off, hence the clock status 
in {fj~i} is off, too. It follows that the rewrite step from {tj-i} to {tj} is an instantaneous step of 
the form of rule (2) which sets the clock status to on and the clock value to 0. Furthermore, in both 
cases the clock can only be switched off by rule (4) which can never be applied because of the condition 
V ieili A clock < bi which is - by assumption - not satisfied. We can conclude that, from state {tj} on, 
the clock is continuously on and the clock value equals the elapsed time since {tj}, i.e. the clock value 
is the sum of the durations of the applied tick rules since {? 7 }J^ Therefore, for all i G / and for all k > j, 
ft k t= clock > bi if and only if Yd-] r i > ^i- From (1) it follows 

1 J 

V/ G LV/c > j.(ft k $ qi) V f £ n > bA . (2) 

Hence from (2) we can conclude that ft k \f qi for all k > j such that Y$Zj r i — h,. This implies ft-* \f 
Vie/ §<bi<lh an d then jr ^ □ V, e / 0</j,<?;- By Lemma[TJ there exists a unique path 71 with initial state {to} 
for which % ^ □ V; e /0<6,?(- Finally, it follows £$,Ln, {to} ^ □ Vie/ 0<6,?( which was to be shown. 

"<^" : Assume ^,L n ,{fo} ^ □ V; e /0<6,-9i, we show 3t,L~ii,{to} ¥ □ Vie/^fe Aclock < bi). Let 
71 = { f o} — > { f i } — > • • • be a path in by Lemma[l| we also have a path ft = {to} — »■ {?i }—»... in 
By assumption, n and hence also ?r do not satisfy □ \f ieI 0<2>,<Zi> ie. there exists j > such that 

Mi G /.V* > j.(?c* p qi ) V ( £ 77 > bA . (3) 

Let / > be the minimal index satisfying (3). We show that in {tj} the clock status is on. If j = then the 
clock status is on by definition of the initial state. Now assume j > 0. Then in state {?_,■_ 1 } it must hold 
jt } '~ 1 \= qt for some i G L So the clock status in {?y-i} is off and the clock value is because otherwise, 
if the clock status was on, there would exist a state before j not satisfying (3) and hence contradicting 
our assumption. From (3) it follows that the rewrite step from j — 1 to j is an instantaneous rewrite step, 
switching the clock on (with clock value 0). Since the clock cannot be switched off (the conditions of 
rule (4) are never met from ft-i on), the durations of the tick steps since tj and the clock value are equal. 
It follows that 

V/ G LV/c > j.{ft k ¥qi) V (ft k ^ clock < b? 



which implies &,Ln, {to} ¥ ^ Vie/ ^0?' A clock < bj) which was to be shown. □ 



The clock value will not be greater than max, e /fc, + 1. 
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5.2 Model Checking MTL Formulas of the Form □ (p V U< b q) 

For model checking MTL formulas of the form \J(p V □<£</), we add a single clock which counts the 
minimum time that q needs to be true once p became false. Here, we use the observation that if p was 
false at t\ and becomes false again between t\ and t\ + b, say at t2, q must additionally hold until t2 + b. 
Hence, it is valid to reset the clock at ?2 and thereby enforce that q must hold true for b more time units. 
So to model check the MTL formula <j> = □(/? V □<£,#) for a path 71 in a real-time rewrite theory ^ with 
labeling function Ln, the following steps are necessary: First, to a class Clock, modeling the clock, 
and corresponding equations are added; second, <j) is translated to = D(p V (g W (clock > b))) where 
c/ocfc is an atomic proposition which refers to the current time value of the clock; the rewrite rules are 
transformed to adequately take into account the propositions and the clock behavior. The transformation, 
which we will call [^[-transformation in the following, proceeds as follows. 

1. A class modeling the clock is added (analogous to the O-transformation): 
sort ClockStatus . 

ops on off : -> ClockStatus [ctor] . 

class Clock I clock : Time, status : ClockStatus . 

2. The initial state {to} is modified by adding a clock object such that the new initial state is 

{to < c : Clock I clock : 0, status : off >} 

3. The functions delta and mte are extended for the newly introduced class Clock as follows (again 
analogous to the O-transformation): 

eq delta(< c : Clock I status : on, clock : T >, T') = 

< c : Clock I clock : if T <= b then min(T + T' ,b+l) else T fi > . 
eq delta(< c : Clock I status : off >, T') = < c : Clock I > . 
eq mte(< c : Clock I >) = INF . 

4. Instantaneous rewrite rules are modified such that the clock is switched on and off depending 
on the target state. Each instantaneous rule t => t' if cond or {t} => {t'{ if cond in is 
replaced by the following four rules (where REST is a new variable of type Configuration): 

Rule (1): If in the next state the formula ->p V ->q is satisfied, or in the previous state the formula 
p V -*7 is satisfied, then the clock stays or is switched off. 
{t REST < c : Clock I >} 

=> {t 1 REST < c : Clock I clock : 0, status : off >} 
if (modelCheck({f' REST}, ~ p \/ ~ q) == true or 

modelCheck({f REST},/? \/ ~ q) == true) and cond . 

Rule (2): If the clock is off, it only gets switched on if in the previous state ->p Aq was satisfied 
and in the next state p A q is satisfied. So the clock begins to count if there was a state 
where p was not true (so we need to look for an interval of length > r where q always 
holds) and in the next state p is true (so the formula D(pV d<bq) is satisfied). 
{t REST < c : Clock I status : off >} 

=> {t 1 REST < c : Clock I clock : 0, status : on >} 
if (not (modelCheck({/' REST}, ~ p \/ ~ q) == true or 

modelCheck({f REST},/? \/ ~ q) == true)) and cond . 

Rule (3): If the clock is on and in the next state the formula p A q is satisfied then the clock stays 
on. The clock is only on if we are looking for an interval of length > b such that q is 
satisfied, so we can safely go on with counting the advanced time since we do not "miss" 
any counterexample since p is satisfied in the next state. 
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{t REST < c : Clock I status : on >} 

=> {*' REST < c : Clock I >} 
if modelCheck({f' REST},/? /\ q) == true and cond . 

Thus, by the above steps 1. to 4. we obtain a real-time rewrite theory Si, a labeling function Ln 
which is adapted to the transformed state space while the labeling remains unchanged (i.e. Ln({f}) = 
Ln({t o c i oc k}) where o c / OCJ t is the added clock), and {?o} is the transformed initial state. 

Finally, for model checking the MTL formula we need to add an atomic proposition stating that the 
current clock value is less or equal than a given time value b. 

op clockLeq : Time -> Prop [ctor] . 

eq {< c : Clock I clock : t, status : s > REST} |= clockLeq(fe) = (t <= b) . 

The MTL formula □(pVD^) can then be model checked using Real-Time Maude's untimed LTL 
model checking features, i.e. we check whether the transformed formula holds by invoking 

(mc {f } l=u [] (p \/?« (not clockLeq(M))) .) 
Proof of Correctness of the Transformation. 

Lemma 2 (cf. 11131 ). Let & be a real-time rewrite theory, Ln with p,q £ll a labeling function for Si, 
and let {to} be an initial state for M. Let Si, Ln, and {?o} be the result of the [^-transformation applied 
to Si, Ln, and to. Then for each path {to} {ti} . . . in Si there is a path {to} -h- ... in M 

such that, for all i > 0, there exists t[ with fj = tjt\, and vice versa. 

Proof. Very similar to the proof of Lem. [T] □ 

Theorem 2. Let Si be a real-time rewrite theory, Ln a labeling function for Si with p,q G n, and {to} 
an initial state of Si. Let Si, Ln, and {to} be the result of the ^-transformation applied to Si, Ln, and 
{to}. Then the following equivalence holds: 

S$,L n ,{t }\=n{pVn< b q) <^=> L n , {f } t= □(? V (q\N (clock >b))). 

Proof. "=>•": Let ft = {t } {h} . . . be a path in Si. Assume Si,L~n, {to} U(p V (q W (clock > 
b))), and we show Si,Lu,{to} ty\3(p\/\3<bq). By assumption, 

3j> 0.(ft j \f p) A (3k > j.(ft k tyq)A (ft k \f clock >b)A 

(Vl.j <l<k^(ft I \=q)A(ft l clock > b))). 

Let j € N be the minimal index satisfying the above formula. We know ft J \f p, if in addition & q then 
we are finished because obviously ft-* \f p V D<bq. So assume & 1= q. If j = then the clock status is off 

and the clock value is 0; if j > then the last rewrite step {tj-i} > {tf} must have been the rule (1) 
since -\p is satisfied in tj, i.e. the clock status in tj is off and the clock value is 0. Hence, in any case, we 
know that in U the clock status is off and the clock value is 0. Let k > j be the minimal index such that 
ft k \f q,% k \f clock > b, and V/.j < / < k =>• (ft 1 N q) A (ft 1 \f clock > b); such a k exists by assumption. 

We know that p is not satisfied in tj. If p is not satisfied for all states t m for j < m < k then we can just 
take the state as an counterexample, that is ft k ~ l \f p V 0<j,q. So assume that there exists a maximal 
m with j <m < k such that t m does not satisfy p. Furthermore we can assume that between m and k 
there is at least one tick rule since otherwise, in state t m the proposition p is not satisfied, but also q is not 
satisfied in % which is reachable in zero time. It follows that in this case ft m does not satisfy p V 0<bq 
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and hence there must be a tick rale between t m and t^, and moreover, m<k — 3 (after the with state there 
must be an instantaneous step changing -<p to p, one application of the tick rule, and an instantaneous 
step changing q to -tq). 

It follows that the rewrite step {t m } -A- {t m +{\ switches the clock on (?,„ satisfies and q, and t m+ \ 
satisfies p and, by the above observation that m < k — 3, also q). From the state t m+ \ on the clock counts 
and for all subsequent states up to 4 the clock value equals the duration of the tick rules between t m and 
h- Since, by assumption, ft k t= clock < b, it follows Y!i=m r i < b an d we can conclude that in ft m the 
formula p V 0< r q is not satisfied: p is not satisfied in t m and moreover, q does not hold for all states 
reachable within time b. Thus ft \f D(p V □<£</), and since ft was an arbitrary path in £# with initial state 
{to} it follows from Lemma [I] that ^,L n , {to} ^ □(/> V 

"<^": Assume M,L n ,{to} \fU(j)yU< b q), and we show M,L u ,{f } tyU(p\J (q\N (clock >b))). 
Let 71 = {?o} {ft} -V • • • be a path in By assumption we know 

3j > 0. p) A (lk > j.(% k \fq) A £n < ^ • (1) 

By Lemma[2]there exists a (unique) path ft in ^ satisfying formula (1) (where % is replaced by ft). Let 
j > and & > j be the minimal indices satisfying (1). If 7T ; q then we are finished. Now assume 7T J N 
In ti the proposition /? is not satisfied implying that the clock status in tj is off and the clock value is 0. 
It is clear that the clock value in all states between tj and 4 is at most the sum of the duration of the tick 
steps between tj and 4; moreover, by assumption, for all m£N with j < m < k it holds r i ^ b. It 
follows that ft 1 \f clock > b for all j <l <k. Hence ft^ \f p\l (q\N (clock >b)), and thus we have shown 
that ^,Ln,{fo}pn(pV(?W (clock >b))). □ 

5.3 Completeness and Termination 

The strength of Real-Time Maude is clearly the expressiveness and the generality of the systems that can 
be specified, and moreover, powerful analysis techniques by simulation of specifications. However, the 
drawback of modeling in Real-Time Maude is the fact that, since we are dealing with general classes 
of infinite-state real-time systems, formal analyses are in general incomplete, and sometimes even un- 
sound. In Real-Time Maude, on the one hand, an analysis method is called sound if any counterexample 
found by this method is a real counterexample in the system. On the other hand, an analysis method is 
called complete if the fact that no counterexample is found using this method actually implies that no 
such counterexample exists. For instance, the LTL model checking of a formula is sound, if any coun- 
terexample found by the model checker is a real counterexample in the system. LTL model checking 
of a formula <p is complete, if the fact that the model checker responds that the formula is satisfied, the 
formula is actually satisfied by the system, i.e. there exists no counterexample falsifying (p. 

Sound and complete model checking of time-bounded formulas In |[T6l Olveczky and Meseguer 
have characterized easily checkable conditions for specifications in Real-Time Maude which imply 
soundness and completeness of LTL model checking under the maximal time sampling strategy. Given 
a real-time rewrite theory S%, a labeling function Ln with IT atomic propositions, then model checking 
an LTL formula with the maximal time sampling strategy is sound and complete, if (1) 3& is time- 
robust, and (2) all atomic propositions in IT are tick- stabilizing. Time-robustness of real-time rewrite 
theory intuitively means that time can either advance by any amount, by any amount up to and including 
a specific point in time, or not at all (and this property is not affected by advancing time unless we reach 
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the specific time bound in the second case), and instantaneous rules can only be applied when the sys- 
tem has advanced time by the maximal possible amount. The second condition for sound and complete 
model checking is that all atomic propositions are tick-stabilizing which means that they do not change 
arbitrarily during a maximal time step, more precisely, tick-stabilizing state propositions are allowed to 
change not at all during a maximal time step, or only once. For exact definitions see |[T6ll . 

As our goal is to achieve soundness and completeness of model checking generalized time-bounded 
response and time-bounded safety MTL formulas, it is essential that time-robustness is preserved by both 
0- and □-transformation. 

Theorem 3. Let St be a real-time rewrite theory and let Si be the result of the 0- or ^-transformation 
applied to St. If & is time-robust, then St is time-robust. 

Proof. This assertion is proved by the observation that, according to Lemma [T] and [2j both transforma- 
tions do not change the original timed behavior of St. □ 

We will now sketch a proof that model checking generalized time -bounded response and time- 
bounded safety MTL formulas, with tick-stabilizing atomic propositions, with the real-time system spec- 
ification for our case study as described in the previous sections is indeed sound and complete. 

Theorem 4. Let SI be a component-based real-time rewrite theory St of the form described in Section^ 
and let ^ be a generalized time-bounded response MTL formula or a time-bounded safety MTL for- 
mula with tick- stabilizing atomic propositions. Then time-unbounded model checking of the transformed 
formula (j) w.r.t. the transformed theory St is sound and complete for the maximal time sampling strategy. 

Proof. According to lfl6l it is sufficient to prove that St is time-robust and only has tick-stabilizing 
atomic propositions. 

A component-based real-time rewrite theory St is time-robust since every instantaneous rewrite rule 
is triggered by the expiration of a timer, or by the fact that the system is inconsistent, i.e. at least two con- 
nected ports are not equal in value which can only happen after a previous instantaneous stepj^] Accord- 
ing to Theorem|3} our transformations described in Sect.|5]preserve time-robustness, so the transformed 
theory St is time-robust as well. 

The second condition requires that all atomic propositions are tick-stabilizing. By Lemma [T] and [2] 
both transformations do not change the original time behavior of St hence all atomic propositions remain 
tick-stabilizing. Note that both transformations introduce a new (parameterized) atomic proposition 
clockLeq which, however, is tick-stabilizing, since the truth of clockLeq(ft) for b a time bound is not 
changed during a maximal time step, or only once. □ 

Termination In general, real-time rewrite theories are infinite-state systems for which model checking 
will not terminate. However, if we are dealing with finite-state systems, model checking will terminate. 
More precisely, in a real-time rewrite theory Si with a fixed time sampling strategy, if both the reachable 
state space of St from an initial state {to} and the number of different rewrite durations in all possible 
paths in St from {to} are finite, MTL model checking (of generalized time-bounded response MTL 
formulas or of time-bounded safety MTL formulas) terminates. So if the reachable state space in St 
from an initial state {to} (under a fixed time sampling strategy) is finite, then the reachable state space 
of the transformed real-time rewrite theory St is finite. The main point in the proof of this fact is that 

4 Note that our tick rule deviates from other well-known examples of object-oriented real-time rewrite theories. Beside the 
condition that mte returns a value greater than we require that the system is consistent, i.e. any connected ports are equal in 
value. 
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the clock value is never increased more than necessary: if it exceeds the upper bound (b max , b, resp.) 
then it is not increased any more which does not change the truth of propositions of the form clock > b, 
and ensures that the state space remains finite. For a detailed proof of this fact for a slightly different 
transformation (which however follows the same schema) we refer the interested reader to the work of 
Lepri et al. lTT3l . Thus, in our case study, model checking generalized time-bounded response MTL 
formulas or time-bounded safety MTL formulas with the maximal time sampling strategy will terminate. 

5.4 Model Checking the Requirements of Digital Advertising 

In this section, we briefly describe the analysis of our real-time specification of the digital advertising 
scenario in Real-Time Maude using the untimed LTL model checking command. The analysis has been 
performed on a sing le core processor (3.2GHz Intel® Pentium 4) with 2 GB of RAM. 

Note that the transformations described above require that the real-time object-oriented specifications 
are applied to are. flat specifications in which rewrites happen only in the "outermost" configuration, and 
no rewrite is possible for attribute values. Our real-time specification, however, is non-flat as we are 
dealing with arbitrarily nested, hierarchical components. A simple solution to this problem is to adapt all 
rewrite rules such that they can only be applied at the outermost layer. For hierarchical components, this 
implies that the transmission rule must be duplicated for each layer of the component system (in our case 
study, for two layers). This replication is part of the future work on automatizing our analysis approach. 

As all atomic propositions introduced in the following are tick-stabilizing and moreover, the real-time 
specification of our case study is time -robust, all analysis carried out (using the maximal time sampling 
strategy) are complete, i.e. if the model checking command of a temporal logic formula returns a positive 
result, then the formula is provably correct for all timed paths of the real-time specification. 

Now, we discuss the analysis of our case study. To recall its basic functionality, the digital advertising 
system can be found in one of two configurations: in the first configuration, the system allows the 
user to interact with the displayed content, while the system displays autoactive content in the second 
configuration. 

Verification of the guarantees (Gl) and (G2). The contract to be satisfied by the digital advertising 
system consists of two guarantees: (Gl) Being an interactive ad, the system should react to a user in 
front of the display. (G2) The content displayed must change at least every ten seconds: an advertising 
campaign using a large-scale display should not waste its capabilities by showing static content. 

Verifying the system guarantee (G2) amounts to model check that always eventually the system 
changes the content of the display. This can be model checked by the command 

(mc {initial} I =u [] <> imgChange .) 

where imgChange holds if the value of the provided port ENV . imgChange of the environment component 
is true. However, the guarantee (G2) requires more: the displayed content must change at least every 
ten seconds, so the above LTL formula is obviously insufficient. Instead, the following formula must be 
used: 

□ (0<ioooo "image is changing") 

This formula expresses that the image changes within ten seconds regardless of the current system con- 
figuration. It is worthwhile to investigate, since it is not immediately clear that the system guarantees this 
properties in both configurations and under arbitrary reconfigurations. This can be checked by applying 
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the transformations presented above and executing the command 

(mc {initial_MC} I =u [] <> ( imgChange A clockLeq(lOOOO) ) .) 

where initial_MC is the transformed initial state. The model checking command took 8 minutes to 
complete, and did not find any counterexamples. 
To verify (Gl), we check the property 

□ (□<80o"P erson is in front" — > 0<iooo"configuration 1") 

using the transformations specified above. The property states that if a person stays in front of the display 
for at least 800 milliseconds, the system will be found in interactive mode within one second. Hence, the 
property specifies that the system always guarantees to react to a person in front of it. It can be model 
checked with the command 

(mc {initial_MC} I =u [] ( (<> ( ~ persThereln A 
clockLeq(800))) \/ (<> ( in-Cl A clockLeq(lOOO) ) ) ) .) 

Model checking this property took 6 minutes, and again no counterexample was found in the model of 
our case study. 

Verification of state steadiness (G3). In addition to guaranteeing the system contract, we must assure 
that the system cannot exhibit a behavior in which reconfigurations are continuously performed and 
consume the available computing resources. In order to guarantee that configuration states are reasonably 
stable, two properties (G3) are checked with the help of the above transformations: 

□ ("reconfiguration triggered in conf. 1" — > □<2oo"configuration 1"), 

and similarly for configuration 2. These two properties state that the reconfiguration does not happen 
instantaneously, but must take at least 200 ms to complete. These properties guarantee that the system 
does not oscillate between configurations and that reconfigurations leave enough resources for the actual 
system operation. 

The model checking command for the translated first property is the following: 
(mc {initial_MC> |=u [] ( (~ reconf TriggeredlnCl) \/ (in-Cl W (~ clockLeq(200) ) ) ) .) 

Executing this model checking command took 12 minutes; the second property can be translated and 
model-checked analogously. 

Altogether, it is possible to check all real-time contract guarantees Gl, G2, and G3 with the help of 
transformations and the built-in untimed Maude LTL model-checker. 

6 Related Work 

Pervasiveness and ubiquity of software systems is a topic that has been researched for about two decades 
||2"T1 [T9l [T2l . A more recent stream of research is focusing on leveraging the new sources information 
becoming available through ubiquity of systems, i.e. bio-signals. The ultimate goal is to create biocy- 
bernetic loops [20] in which the system and the user create a feedback loop by influencing each other's 
reactions, adapting the environment in an nonobtrusive way to the needs and ideas of the user without 
requiring explicit interaction. Emotional computing |[T8l is one of the most known manifestations of this 
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principle, but cognitive, and physical aspects can be considered as well in the creation of a biocybernetic 
loop. 

Constructing pervasive user-centric applications J3] and, more general, the construction of self- 
adaptive applications have been a field of active research in recent years. In this work, we follow an 
approach based on reconfiguration of the system in order to achieve adaptability; gives a decent 
overview of various approaches. Formal specification and verification of component-based systems and 
their reconfiguration is presented in several works, e.g. in 0, a logic -based approach to the specification 
of reconfiguration is developed, and in 0, reconfigurable components are verified by model checking 
formulas of the /i-calculus. However, none of these frameworks for the verification of systems under 
reconfiguration use time semantics and therefore, only untimed properties can be verified. 

Specifying systems with metric temporal logic goes back to the work of Koyman in ifTOl and Hooman 
in J9j HI ; in the latter work, a compositional approach to the verification of system components with 
metric temporal logic is presented. However, our work differs from the above works by using a dynamic 
architecture instead of a static one. 

In a previous work liT5ll on specification and verification of systems in Real-Time Maude [7] already 
include ideas and methods how to verify timed temporal logic formulas using the LTL model checker 
of Maude. However, the first automatized transformational approach is presented in ifTBl . which cover 
MTL formulas expressing the bounded response property or the minimum separation property. In this 
work, we have extended the ideas of |[T3ll and presented analysis algorithms for two further and more 
general classes of MTL formulas. 

7 Concluding Remarks 

In the previous sections we have presented a new approach for formally modeling and analyzing perva- 
sive user-centric applicatons at an early design stage. A system is modeled as a set of components which 
interact via connectors between provided and required ports. To allow adaptation of the system to new 
situations, the system can be dynamically reconfigured by changing the connections at runtime. 

For specifying and prototyping such systems in a real-time setting, we use the algebraic rewriting 
language Real-Time Maude. Time-dependent system properties are expressed in Metric Temporal Logic 
(MTL). Real-Time Maude is also well-suited for model checking two practically important classes of 
formulas, the so-called generalized time-bounded response MTL formulas and the time-bounded safety 
MTL formulas. By extending the component-based Real-Time Maude models with suitable clocks and 
by transforming these kinds of MTL formulas into pure LTL formulas over the extended specification 
we have shown that these two classes of formulas can be analyzed with the (untimed) Maude LTL model 
checker, and that this analysis is sound, complete and terminating for the maximal time sampling strategy. 

As case study we have specified a simple adaptive advertising scenario in Real-Time Maude and 
could automatically verify all three requirements (G1-G3) with the Maude model checker by using 
our analysis method. However, the execution of the model checking command took in all cases sev- 
eral minutes although we had already abstracted all values to boolean data. For more complex case 
studies, further optimizations will be necessary to make model checking a practically feasible analysis 
method. One simple, but efficient technique is to replace each model checking command, mc say, of 
form modelCheck(t ' REST, q) in a condition of a rule of the extended theory M by a boolean ex- 
pression; indeed, each q is a state formula which can easily defined as a boolean function is-q such that 
is-q(t ' REST) is true iff mc is true. Another technique is to reduce the nondeterminism in hierarchi- 
cal components by directly connecting the ports of the environment with their corresponding ports of 
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the subcomponents (e.g. ENV.personThereln with Camera.personThereln). The resulting specification, 
M say, is stuttering equivalent (see e.g. iTPflO with the original one; model checking M is a matter of 
seconds, not of minutes. 

The metric temporal logic properties in this paper take only non-trivial upper bounds into account; 
the lower bound of any interval is 0. A "natural" extension of our work will be the study of metric 
properties over intervals with non-null lower bounds. Another interesting future work will be models 
with time-dependent probabilistic behavior. Pervasive user-centric applications interface with the real 
world through sensors and actuators, which may be unreliable. With a probabilistic real-time frame- 
work, it would be possible to model this uncertain behavior of the environment, and reason about the 
performance of pervasive user-centric applications in these environments. 
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